Prepare and sign an application executable (EXE) file

ylwong

To prepare and sign an application executable (EXE) file using an Extended Validation (EV) Code Signing Certificate stored on a USB token for submission to the Microsoft Store, follow these detailed, step-by-step instructions.

Prerequisites

Tools Required:
- EV Code Signing Certificate on a USB token (e.g., Sectigo, DigiCert).
- SignTool.exe (included in the Windows SDK).
- Microsoft Store Developer Account.
- Microsoft Partner Center access (for submission).
- Windows machine with the token drivers and certificate software installed (e.g., SafeNet Authentication Client).
Prepare your EXE:
- Ensure your executable is optimized and compiled as a release build.
- Remove any unnecessary files from the package.

Steps for Manual EV Code Signing of EXE File

Step 1: Install the Windows SDK

Download and install the latest Windows SDK from Microsoft.
The SDK includes SignTool.exe, which you’ll use to sign your application.

Step 2: Connect and Unlock the USB Token

Insert the USB token containing your EV certificate into the computer.
Launch the SafeNet Authentication Client (or the appropriate certificate manager for your token).
Authenticate with your PIN to unlock access to the EV certificate.

Step 3: Open Command Prompt as Administrator

Press Win + R, type cmd, and press Ctrl + Shift + Enter to open the Command Prompt with admin privileges.

Step 4: Locate Your EXE File and SignTool

Make sure your EXE is built and placed in a specific folder.

Navigate to the SignTool location. The path is typically:

   C:\Program Files (x86)\Windows Kits\10\bin\<version>\x64

Replace <version> with the correct SDK version installed.

Step 5: Get the Thumbprint of Your Certificate

Run the following command to list certificates on your USB token:

   certutil -scinfo

Locate your EV certificate and copy the thumbprint.

Step 6: Sign the EXE File Using SignTool

Use SignTool.exe to sign your EXE file. Below is the command format:

signtool sign /f "YourEVCertFile.pfx" /a /t http://timestamp.digicert.com /p YourPassword "C:\Path\To\YourApplication.exe"

Since the EV cert is on a USB token, use this command instead:

signtool sign /sm /sha1 <THUMBPRINT> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 "C:\Path\To\YourApplication.exe"

Explanation:

/sm: Use the smart card (USB token) store.
/sha1 <THUMBPRINT>: Use the certificate identified by its SHA1 thumbprint.
/tr: Specify a RFC 3161 timestamp server.
/td SHA256: Use SHA256 digest for timestamp.
/fd SHA256: Use SHA256 for the file signature.

Step 7: Verify the Signature

After signing, verify the signature to ensure it’s valid:

signtool verify /pa /v "C:\Path\To\YourApplication.exe"

/pa: Use the default Authenticode verification policy.
/v: Verbose output to see detailed info.

Submitting the Signed EXE to the Microsoft Store

Step 8: Prepare Your App for Submission

Package the EXE with all required dependencies (if applicable).
Create an App Manifest (.appxmanifest) if required by the Microsoft Store.

Run the Windows App Certification Kit (WACK) to test your application package.

   C:\Program Files (x86)\Windows Kits\10\App Certification Kit\appcert.exe

Step 9: Upload to Microsoft Store

Log in to Partner Center: Microsoft Partner Center.
Create a new app submission.
Fill in all the required metadata:
- App Name, Description, Category, etc.
- Upload the signed EXE and related files.

Step 10: Certification Review and Publishing

Microsoft will review your submission for compliance.
If approved, the application will be available in the Microsoft Store.

Troubleshooting Tips

PIN Issues: If the USB token is not responding, reconnect it and make sure the correct PIN is used.
Timestamp Error: Ensure the timestamp server is reachable. You can try other timestamp servers:
- http://timestamp.comodoca.com/rfc3161
- http://timestamp.globalsign.com/scripts/timestamp.dll
Invalid Signature: Double-check the thumbprint and ensure the certificate is not expired.

By following these steps, your EXE will be properly signed with an EV Code Signing Certificate and ready for submission to the Microsoft Store.

ylwong

To automatically sign your application executable (EXE) file using an EV Code Signing Certificate on a USB token in Visual Studio, follow these detailed, step-by-step instructions. Visual Studio has built-in support for code signing, which simplifies the process.

Prerequisites

EV Code Signing Certificate on a USB token (e.g., from Sectigo, DigiCert, GlobalSign).
Visual Studio installed on your machine.
USB token software (e.g., SafeNet Authentication Client) installed and working, with the token drivers.
Microsoft Store Developer Account (if you're publishing to the Microsoft Store).

Steps for Automatic EV Code Signing in Visual Studio

Step 1: Install USB Token Drivers and Unlock the Token

Insert the USB token into your computer.
Ensure that the token's software (e.g., SafeNet Authentication Client) is installed.
Use the SafeNet Authentication Client (or similar software) to authenticate with your PIN and unlock the token.

Step 2: Set Up Your Visual Studio Project

Open your project in Visual Studio.
Build your project and ensure that it compiles without errors in Release Mode.
- Select Release from the drop-down menu on the toolbar.

Step 3: Access Project Properties for Signing

Right-click on your project in Solution Explorer and select Properties.
Navigate to the Signing tab on the left-hand side.

Step 4: Enable ClickOnce Security Settings

If your project uses ClickOnce Deployment, you can sign both the assembly and the deployment:

Check the box that says Sign the ClickOnce manifests.
Under Certificate, click on Select from Store.
In the Select Certificate window, find your EV Code Signing Certificate by thumbprint, issuer name, or description, and select it. It should show that it is stored on your USB token.

Step 5: Configure Strong Name Signing (Optional)

Still within the Signing tab of project properties, check the box that says Sign the assembly.
Click on Choose a strong name key file, and either create a new key file or import an existing one if you have it.

Step 6: Automatically Sign the EXE File During Build

To have Visual Studio sign your executable automatically during the build process, you'll modify the project file to invoke SignTool with the correct options during the build.

Open your .csproj (or other project file type) in Visual Studio by right-clicking the project name in Solution Explorer and selecting Edit .csproj.
Add the following XML code to configure SignTool to use your EV certificate:

<Target Name="AfterBuild">
  <Exec Command='&quot;$(DevEnvDir)..\..\..\..\bin\signtool.exe&quot; sign /sm /sha1 <THUMBPRINT> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 &quot;$(TargetPath)&quot;' />
</Target>

Replace <THUMBPRINT> with the thumbprint of your EV certificate. You can find this by opening the Certificate Manager (certmgr.msc) and navigating to Personal > Certificates, finding your EV certificate, and copying its SHA-1 thumbprint.
Adjust the timestamp URL if you're using a different timestamp authority.
Save and close the .csproj file.

Step 7: Build the Project

After you configure the signtool command, every time you build the project in Release mode, Visual Studio will automatically sign the EXE file with your EV certificate.
Build the project by selecting Build > Build Solution or pressing Ctrl + Shift + B.

Step 8: Verify the Signed EXE

After the build completes, you can verify that the EXE file has been signed correctly:

Go to the build output directory (usually bin\Release).
Right-click on your EXE file and select Properties.
Go to the Digital Signatures tab to verify that your EXE is signed with your EV certificate.

If you prefer, you can also run this command in the Command Prompt to verify:

signtool verify /pa /v "C:\Path\To\YourApplication.exe"

Publishing to the Microsoft Store

Step 9: Test Your Application with the Windows App Certification Kit (Optional)

Before submitting to the Microsoft Store, you should test the application with the Windows App Certification Kit (WACK) to ensure it meets Microsoft Store requirements.

Download and run the Windows App Certification Kit from the Microsoft website.
Follow the on-screen instructions to validate your app.

Step 10: Submit to Microsoft Store

Log in to the Microsoft Partner Center and navigate to your app.
Create a new submission, fill in the required details, and upload the signed EXE.
Follow the submission process and wait for the review.

Troubleshooting Tips

Token Not Detected: Ensure the token software is correctly installed, and the USB token is recognized. Reinsert the token and restart Visual Studio if necessary.
Certificate Not Found: Ensure the certificate is installed in the correct store (e.g., Personal > Certificates) and is marked as valid.
Build Fails: Double-check the paths and syntax in the .csproj file. Ensure the signtool path and thumbprint are correct.

By following these steps, Visual Studio will automatically sign your EXE file during the build process using your EV code signing certificate on a USB token.